KnowBe4 had been searching for a principal-level developer and posted the job online. The person they ended up hiring turned out to be North Korean. The individual had stolen the identity of an American, which allowed the background checks and other pre-hire procedures to pass.
Upon onboarding, the new hire was sent a MacBook to an address different from the one on their resume. Once they accessed the computer, they attempted to load password-stealing malware. The EDR on the laptop quickly flagged this, and the SOC team asked the new hire if everything was alright. He made confusing excuses, refused to hop on a call and then stopped responding on Slack altogether. Because of this weird behavior, the laptop was completely cut off from the network only 25 minutes after the first alert.
Upon analyzing the laptop remotely, they realized that a Raspberry Pi was being used to relay the keyboard, video, and mouse. This ensured the laptop carried no suspicious TCP/IP traffic from remote-access software that could have been detected.
The sophistication has ramped up over the last 4 years, and the work-from-home (WFH) boom of COVID made this easier as well. Instead of flat-out fake identities, they decided to steal identities. NK operators started jumping on calls, which hadn't happened before. The report documents some of these changes. There are four parties involved: North Korean program leaders, North Korean workers located in other countries, non-Korean assistants such as those running laptop farms, and the infrastructure for falsifying identities.
The criminal ecosystem assists the NKs with their fake-employee schemes. They use fake, stolen, and purchased identities when applying for jobs, backed by forged or stolen driver's licenses, passports, diplomas, credit card statements and many other documents. Stolen or purchased identities are preferred because they easily pass background checks. Sometimes an individual even gets involved knowingly just to be paid.
When working these jobs, they run laptop farms in the same country as the employer and then give the North Koreans remote access to the devices. A single laptop farm will sometimes hold 90 different laptops from various employers. Instead of using the location on their resume, they almost always have the laptop shipped to this address, making it a tell-tale sign of an NK actor.
Fake employers are also a problem. They offer you a fantastic job, only to compromise your work or personal laptop along the way with malicious software they ask you to download. The main purpose of all of this is to bring illicit money into North Korea.
At the end is a huge list of red flags. The ones for the hiring phase are as follows:
- Asian descent with an English-looking name, went to a US university, but speaks English poorly with a heavy accent.
- Identity information, work history and other checks will fail unless the identity is stolen.
- There are signs in the interactions as well: all connections come from VPNs, the interview takes place in a noisy, call-center-like location, the phone numbers they use are VoIP, and they may hesitate to be on camera.
- Their online presence consists only of the links they themselves provided, and the information commonly contradicts itself.
After hiring, a few things are noticeable:
- The IP address doesn't match the expected location. If it does, there is remote-login software or other malware on the laptop.
- Work hours are inconsistent with company hours, and they won't jump on calls/respond promptly.
- Inconsistent quality of work, especially when it doesn't seem to come from the person who was actually interviewed.
- Payment requests are strange: either unusual banks or cryptocurrency.
- Korean language support found on the laptop.
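The post-hire red flags above (shipping address differing from the resume, logins from VPNs or the wrong country, work hours that don't line up with the claimed time zone) lend themselves to a simple automated check over onboarding and login records. The following is an added example, not code from KnowBe4 or the report; the hire record, login events and the IP lookup table are constructed stand-ins for a real HR system and GeoIP/ASN feed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP/ASN lookup: ip -> (country, is_vpn_or_hosting).
IP_INTEL = {
    "198.51.100.7": ("US", False),  # residential, matches the stated location
    "203.0.113.9": ("US", True),    # commercial VPN exit node
    "192.0.2.44": ("CN", False),    # residential address outside the stated country
}


@dataclass
class Hire:
    name: str
    resume_city: str
    ship_city: str            # where the company laptop was actually shipped
    stated_country: str
    tz_offset_hours: int      # UTC offset the employee claims to work in
    logins: list = field(default_factory=list)  # (ISO-8601 UTC timestamp, source ip)


def red_flags(hire, work_start=9, work_end=18, off_hours_limit=0.5):
    """Return the post-hire red flags triggered for one new hire."""
    flags = []
    if hire.ship_city.lower() != hire.resume_city.lower():
        flags.append(f"laptop shipped to {hire.ship_city}, resume says {hire.resume_city}")
    vpn = foreign = off_hours = 0
    local_tz = timezone(timedelta(hours=hire.tz_offset_hours))
    for ts, ip in hire.logins:
        country, is_vpn = IP_INTEL.get(ip, ("??", False))
        vpn += is_vpn
        foreign += country not in ("??", hire.stated_country)
        local = datetime.fromisoformat(ts).astimezone(local_tz)
        # Outside the company's working hours, or on a weekend, in the claimed time zone.
        off_hours += local.weekday() >= 5 or not (work_start <= local.hour < work_end)
    if vpn:
        flags.append(f"{vpn} login(s) from VPN/hosting ranges")
    if foreign:
        flags.append(f"{foreign} login(s) from outside {hire.stated_country}")
    if hire.logins and off_hours / len(hire.logins) > off_hours_limit:
        flags.append(f"{off_hours}/{len(hire.logins)} logins outside company hours")
    return flags


# Constructed sample: resume says Austin, laptop went elsewhere, claimed UTC-5 working hours.
SAMPLE_HIRE = Hire("constructed hire", "Austin", "Nashville", "US", -5, [
    ("2024-06-03T14:00:00+00:00", "198.51.100.7"),  # Monday 09:00 local, residential
    ("2024-06-04T03:30:00+00:00", "203.0.113.9"),   # Monday 22:30 local, VPN
    ("2024-06-08T15:00:00+00:00", "192.0.2.44"),    # Saturday 10:00 local, foreign
])
```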
To prevent these types of attacks, check everything listed above: verify references, check whether the phone numbers are VoIP, require cameras, and so on. Asking questions about everyday local things, such as "What is the name of the mascot of the college you went to?", is a good way to trip them up. Overall, a great and informative post on NK fake employee/employer scams.